Email Verification Links Can Lead To Account Takeovers

A legitimate verification link can hijack your session. An attacker sends you a link from a trusted domain. You click it. You get logged out of your account and logged into the attacker's account. You might not even notice.

Here is how the attack works:

  • Register Account A and verify it. Stay logged in.
  • Register Account B in a private window. Do not verify it yet.
  • Copy the verification link for Account B.
  • Open that link in the browser where Account A is active.
  • Result: Account B verifies. Account A logs out. The browser session switches to Account B.

An attacker tricks you by registering an account under an email address that looks like yours, then sends you its verification link disguised as a support request. Clicking it lets them steal subscriptions, access your files, or gain your permissions.

The attack is worse still if the verification endpoint acts on a plain GET request. An attacker can then embed the link as an image source on any web page, and your browser fetches it silently, with no click required.

Risks of this flaw:

  • Forced session hijacking
  • Silent account switching via CSRF
  • Subscription theft
  • Data theft

How to fix it:

  • Use single-use tokens. Invalidate the token immediately after one use.
  • Use short token expiry. Links should expire in 15 to 60 minutes.
  • Implement session-aware verification. The backend must check whether the active session belongs to the account being verified. If they do not match, reject the request.
  • Do not touch existing sessions. Verifying one account should never affect another session.
  • Bind tokens to the specific email address. The token must only work for the intended user.
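The five fixes above combined in one verification handler, as an added example rather than code from the original post. The in-memory `accounts` and `tokens` stores, the `register`, `issue_token` and `verify_email` names, and the 30-minute TTL are assumptions for illustration; the handler returns the session unchanged in every branch, so a click can never log anyone out or in.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 30 * 60  # assumed 30-minute expiry, inside the 15-60 minute window above


@dataclass
class Account:
    email: str
    verified: bool = False


@dataclass
class VerificationToken:
    account_email: str  # token is bound to exactly one account / email
    issued_at: float
    used: bool = False  # flipped after the first successful use


accounts: Dict[str, Account] = {}          # assumed in-memory stores
tokens: Dict[str, VerificationToken] = {}  # opaque token -> record


def register(email: str) -> Account:
    accounts[email] = Account(email)
    return accounts[email]


def issue_token(email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)  # unguessable, opaque value
    tokens[token] = VerificationToken(email, now)
    return token


def verify_email(token: str, session_email: Optional[str], now: float) -> Tuple[bool, str, Optional[str]]:
    """Return (ok, reason, session_after). session_after always equals session_email."""
    rec = tokens.get(token)
    if rec is None or rec.used:                       # unknown or already consumed
        return False, "invalid or already used token", session_email
    if now - rec.issued_at > TOKEN_TTL:               # short expiry
        return False, "token expired", session_email
    # Session-aware check: a logged-in session must belong to the account being verified.
    # With no session at all the email is still marked verified, but no session is created.
    if session_email is not None and session_email != rec.account_email:
        return False, "token does not belong to the active session", session_email
    rec.used = True                                   # single use
    accounts[rec.account_email].verified = True
    return True, "verified", session_email            # existing session left untouched
```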

Authentication flows are often overlooked. A verification link feels safe because it comes from a trusted domain. This trust makes it dangerous if you handle sessions poorly.

Always ask: what happens if the wrong person clicks this link?

Source: https://dev.to/bijan53c/email-verification-link-leading-to-forced-account-takeover-3dgp